TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Some Taxpayers Were Not Appropriately Notified When Their Personally Identifiable Information Was Inadvertently Disclosed

May 24, 2011

Reference Number: 2011-40-054

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Redaction Legend:
1 = Tax Return/Return Information

Phone Number  | 202-622-6500
Email Address | TIGTACommunications@tigta.treas.gov
Web Site      | http://www.tigta.gov

HIGHLIGHTS

SOME TAXPAYERS WERE NOT APPROPRIATELY NOTIFIED WHEN THEIR PERSONALLY IDENTIFIABLE INFORMATION WAS INADVERTENTLY DISCLOSED

Highlights

Final Report issued on May 24, 2011

Highlights of Reference Number: 2011-40-054 to the Internal Revenue Service Deputy Commissioner for Operations Support.

IMPACT ON TAXPAYERS

Taxpayers need to be assured that the Internal Revenue Service (IRS) will promptly notify them of inadvertent disclosures of their Personally Identifiable Information so they can take the necessary steps to protect themselves from identity theft or other harm. The IRS has many processes and regulations that protect taxpayer information, but there are times when taxpayer information is inadvertently disclosed.

WHY TIGTA DID THE AUDIT

More than 142 million taxpayers entrust the IRS with sensitive financial and personal data. The objective of this audit was to determine whether the IRS is making appropriate decisions to promptly and properly notify taxpayers of inadvertent disclosures of their tax information.

WHAT TIGTA FOUND

TIGTA reviewed a statistical sample of 98 case files of incidents reported as inadvertent disclosures in Fiscal Years 2009 and 2010 and found not all taxpayers were properly and/or timely notified of disclosures.

• Five (5 percent) of 98 incidents were closed and taxpayers were not properly notified of the disclosures because IRS employees reporting the disclosures did not document the identity of the individuals whose Personally Identifiable Information had been disclosed.
• 10 (10 percent) of 98 incidents were closed and taxpayers were not properly notified of the disclosures because only tax account information was disclosed and IRS procedures did not include tax account information in its definition of Personally Identifiable Information.
• 20 (74 percent) of the 27 incidents in the 98 incidents sampled that required taxpayer notification were not sent timely. TIGTA considered notifications timely if taxpayers were sent notifications within 45 days of the date the incident was reported to or identified by the IRS. The notification letters in the sample averaged 86 days.

In addition, TIGTA reconciliations performed on the four systems the IRS uses to capture disclosure incident-related information identified 815 missing incidents.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the IRS 1) educate employees on the importance of obtaining sufficient information on individuals whose Personally Identifiable Information was disclosed, 2) revise procedures to include tax account information in the Personally Identifiable Information definition and to forward disclosure incidents to the IRS’s Identity Theft Program for victims of identity theft, 3) implement a timeliness measure, and 4) implement sufficient controls to ensure that all incidents are accurately documented and considered.

In the response to the report, the IRS agreed to the recommendations. The IRS has implemented a protection campaign to educate employees on data protection and plans to study whether tax account information should be included in the definition of Personally Identifiable Information. In addition, the IRS plans to strengthen procedures to address identity theft and expand current time metrics to include the elapsed time between initial incident reporting and taxpayer notifications date. It plans to consolidate all systems data for the most serious incidents.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

May 24, 2011

MEMORANDUM FOR DEPUTY COMMISSIONER FOR OPERATIONS SUPPORT

FROM:     Michael R. Phillips
          Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – Some Taxpayers Were Not Appropriately Notified When Their Personally Identifiable Information Was Inadvertently Disclosed (Audit # 201040050)

This report presents the results of our review to determine whether the Internal Revenue Service is making appropriate decisions to promptly and properly notify taxpayers of inadvertent disclosures of their tax information.
This audit is included in our Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Taxpayer Protection and Rights. Management’s complete response to the draft report is included as Appendix VII.

Copies of this report are also being sent to the Internal Revenue Service managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Michael E. McKenney, Assistant Inspector General for Audit (Returns Processing and Account Services), at (202) 622-5916.

Table of Contents

Background

Results of Review
    The Disclosure Notification Process Needs Improvement to Ensure Taxpayers Are Appropriately Notified of Inadvertent Disclosures
        Recommendations 1 and 2:
        Recommendation 3:
    Multiple Information Systems and Manual Processes Increase the Risk That Not All Incidents Are Considered and Controlled
        Recommendation 4:

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Outcome Measures
    Appendix V – Internal Revenue Service Employee Instructions on Reporting Inadvertent Disclosures
    Appendix VI – Flowchart of the Disclosure Notification Process
    Appendix VII – Management’s Response to the Draft Report

Abbreviations

CSIRC    Computer Security Incident Response Center
IRS      Internal Revenue Service
OMB      Office of Management and Budget

Background

Identity theft is the number one consumer complaint nationwide. Identity theft occurs when someone uses Personally Identifiable Information, such as an individual’s name or Social Security Number, credit card numbers, or other account information, to commit fraud and other crimes. Another person’s Social Security Number is the most valuable tool an identity thief can obtain to commit financial fraud, and the Social Security Number becomes even more valuable if it is linked to other personal data of the Social Security Number owner, such as information required to prepare a tax return. While the overall number of identity theft complaints dropped from Calendar Year 2009 to Calendar Year 2010, identity theft remains the single largest type of complaint submitted to the Federal Trade Commission’s Consumer Sentinel Network with more than 1.3 million complaints received since Calendar Year 2006.

Personally Identifiable Information includes an individual’s:
• Name.
• Address.
• E-mail Address.
• Social Security Number.
• Telephone Number.
• Bank Account Number.
• Date and Place of Birth.
• Mother’s Maiden Name.
• Biometric Data (e.g., height, weight, eye color, finger prints).

More than 142 million taxpayers entrust the Internal Revenue Service (IRS) with sensitive financial and personal data. The IRS has many processes and regulations that protect taxpayer information, but there are times where taxpayer information is inadvertently disclosed. For example, an employee could inadvertently include Jane Smith’s tax return in an envelope with Mary Smith’s tax return and send it to Mary–thus inadvertently disclosing Jane’s Personally Identifiable Information to Mary. Alternatively, at the taxpayer’s request, the IRS could fax a copy of the taxpayer’s tax return but use an incorrect fax number.
When inadvertent disclosures happen and the risk of identity theft or other harm is likely, taxpayers need to be assured that the IRS will promptly notify them so they can take the necessary steps to protect themselves from identity theft or other harm.

Laws and regulations

Various laws require that Federal Government agencies protect Personally Identifiable Information and implement programs to provide security for Personally Identifiable Information and the systems on which it resides. In addition, the Internal Revenue Code prohibits the unauthorized disclosure of taxpayer information. Figure 1 provides a list of the various laws and regulations on disclosure of Personally Identifiable Information and/or taxpayer information.

Figure 1: Laws and Regulations Regarding Disclosure of Taxpayer Information

Privacy Act of 1974 [1]
    With specifically mentioned exceptions, no agency shall disclose any record which is contained in a system of records,[2] except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.
    Agencies with systems of records (e.g., taxpayer information) must establish appropriate administrative, technical, and physical safeguards to ensure the information contained in the records remains secure and confidential. This includes protecting the information against threats or hazards which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom the agency maintains information.
    In addition, each agency shall keep an accurate accounting of the date, nature, and purpose of each disclosure to any person or agency, as well as the name and address of the person or agency to whom disclosure is made.

E-Government Act of 2002 [3]
    This Act established a Federal Chief Information Officer within the Office of Management and Budget to improve the methods by which Government information, including information on the Internet, is organized, preserved, and made accessible to the public. It established a framework of measures that require using Internet-based information technology to improve citizen access to Government information and services and for other purposes.

Federal Information Security Management Act of 2002 [4]
    This Act recognized the importance of information security to the economic and national security interests of the United States. The Act requires each Federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

Internal Revenue Code Section 6103
    Tax return information is confidential and no officer or Federal employee should disclose tax return information except as authorized.
    Section 6103(c) authorizes the Department of the Treasury Secretary to prescribe requirements and conditions that would allow officers and Federal employees to disclose tax return information to persons the taxpayer designates in a request for, or consent to, such disclosure.

Internal Revenue Code Section 7216
    Section 7216 applies to any person who is engaged in the business of preparing or providing services in connection with the preparation of tax returns for compensation. Any such person who knowingly or recklessly discloses any information furnished to him or her for, or in connection with, the preparation of any such tax return, or uses any such information for any purpose other than to prepare, or assist in preparing, any such return, shall be guilty of a misdemeanor.

Source: Laws as cited.

[1] 5 U.S.C. Section 552a (2006).
[2] The Privacy Act defines a system of records as a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
[3] Pub. L. 107-347, 116 Stat. 2899; 44 U.S.C. Section 101.
[4] 44 U.S.C. Sections 3541 - 3549.

Office of Management and Budget guidance

The Office of Management and Budget (OMB) has also issued numerous memoranda to Federal agencies providing guidance on how to handle and report disclosures. On July 12, 2006, the OMB issued Memorandum 06-19 (M-06-19), “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments,” to Chief Information Officers stating that agencies are:

    . . . to report all incidents involving Personally Identifiable Information (PII) to the United States Computer Emergency Readiness Team (US-CERT) within one hour of discovering the incident … and should not distinguish between suspected and confirmed breaches.

On May 22, 2007, the OMB issued Memorandum 07-16 (M-07-16), “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.” This memorandum requires agencies to develop and implement a breach notification policy and outlines the framework within which agencies must develop this policy while ensuring proper safeguards are in place to protect the information.
All Federal information and information systems are subject to the privacy and security requirements addressed in OMB M-07-16. Breaches subject to notification requirements include both electronic systems as well as paper documents.

Agencies must determine whether notification of a breach is required, stating:

    . . . the agency should first assess the likely risk of harm caused by the breach and then assess the level of risk. Agencies should consider a wide range of harms, such as harm to reputation and the potential for harassment or prejudice, particularly when health or financial benefits information is involved in the breach. Agencies should bear in mind that notification when there is little or no risk of harm might create unnecessary concern and confusion. Additionally, under circumstances where notification could increase a risk of harm, the prudent course of action may be to delay notification while appropriate safeguards are put in place.

The Privacy, Information Protection, and Data Security Office

In Fiscal Year 2007, the IRS established the Privacy, Information Protection, and Data Security Office. Its mission supports four key programs.

• Privacy Policy to promote the protection of individual privacy and integrate privacy into business practices, behaviors, and technology solutions.
• Identity Protection to identify risks and reduce vulnerabilities for identity theft.
• Incident Management to improve victim assistance.
• Online Fraud Detection and Prevention to reduce online fraud against the IRS and taxpayers.

The Privacy and Information Protection Office is responsible for the Privacy Policy, Identity Protection, and Incident Management Programs. This Office develops and implements an enterprise-wide approach to privacy and information protection of taxpayer and employee information, supports identity theft initiatives such as implementing a number of indicators to mark taxpayer accounts affected by identity theft, and manages the IRS’s process for responding to the loss of Personally Identifiable Information.

The Incident Management Program is responsible for ensuring IRS incidents involving the loss, theft, or disclosure of Personally Identifiable Information and the loss or theft of an IRS asset are investigated, analyzed, and resolved. Risk assessments are completed to evaluate the likely risk of harm, specifically the potential for identity theft. Potentially affected individuals who are determined to be at high risk of harm are notified without unreasonable delay. This office manages the reporting, taxpayer notification, and tracking of data loss incidents (Disclosure Notification Process) in accordance with OMB M-07-16.

This review was performed at the IRS National Headquarters in Washington, D.C., in the Privacy, Information Protection, and Data Security Office and the Incident Management Program during the period July 2010 to February 2011. We also held discussions and/or obtained documentation from the Office of Technology Computer Security Incident Response Center, the Small Business/Self-Employed Division Disclosure Office, and the Wage and Investment Division Office of Taxpayer Correspondence. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.

Results of Review

The Disclosure Notification Process Needs Improvement to Ensure Taxpayers Are Appropriately Notified of Inadvertent Disclosures

Our review of a statistical sample of 98 case files of incidents reported as inadvertent disclosures in Fiscal Years 2009 and 2010 found that not all taxpayers were properly and/or timely notified of disclosures.

• 5 (5 percent) of 98 incidents were closed and taxpayers were not properly notified of the disclosures because IRS employees reporting the disclosure did not document the identity of the individuals whose Personally Identifiable Information had been disclosed.
• 10 (10 percent) of 98 incidents were closed and taxpayers were not properly notified of the disclosures because only tax account information was disclosed and IRS procedures did not include tax account information in its definition of Personally Identifiable Information.
• 20 (74 percent) of the 27 incidents in the 98 incidents sampled that required taxpayer notification were not sent timely. We considered notifications timely if taxpayers were sent notifications within 45 days of the date the incident was reported to or identified by the IRS. The notification letters in the sample averaged 86 days.

Twenty-one (21 percent) of 98 incidents were also closed without the IRS notifying taxpayers that their Personally Identifiable Information had been disclosed because the disclosure was made to individuals with power of attorney[5] responsibilities, State agencies, law firms, or payroll processors. The IRS considers that these individuals and businesses do not pose a likely risk of identity theft or other harm to taxpayers. In addition, in **************1*************** *********************************1***************************** but the IRS took no further action on the case.

IRS records show that there were 4,081 inadvertent disclosures processed in Fiscal Years 2009 and 2010. Of these, 1,493 incidents required that 2,812 taxpayers be notified.[6] Without improvements to the Disclosure Notification Process, there is no assurance that all taxpayers who have had their Personally Identifiable Information inadvertently disclosed by the IRS will be properly identified and/or notified timely. Therefore, taxpayers may not take the proper precautions needed to protect themselves from identity theft or other harm.

[5] Taxpayers grant a power of attorney to an individual so that individual can represent the taxpayer before the IRS.
[6] Each incident may affect more than one taxpayer.

Management controls should provide reasonable assurance that all disclosures are appropriately recorded and considered. Systems used to record and track disclosures need to be complete and accurate with sufficient reviews to ensure all actions have been appropriate.
Activities need to\nbe established to monitor performance measures and indicators.\nIn Fiscal Year 2007, the IRS created the Incident Management Program to manage the\nreporting and notification for data loss incidents in accordance with OMB M-07-16\nIn September 2007, the IRS established the Incident Management Program to manage the IRS\xe2\x80\x99s\nPersonally Identifiable Information Incident Notification Process for taxpayers and employees\npotentially affected by IRS data loss incidents. In 3 years, the IRS has:\n    \xe2\x80\xa2   Developed procedures to comply with applicable laws and regulations.\n    \xe2\x80\xa2   Developed various management information systems to report, control, and track\n        disclosures and data losses.\n    \xe2\x80\xa2   Provided guidance to IRS employees on disclosures and how to report them.7\n    \xe2\x80\xa2   Established the Disclosure Notification Process and developed user desk guides and\n        manuals for employees to follow when investigating, analyzing, and resolving incidents.\nIn Fiscal Year 2009, the IRS took several steps to improve its ability to report and assess\npotential breaches of Personally Identifiable Information. It revised incident reporting\nprocedures, and due to the volume and complexity of taxpayer correspondence, determined that\nall taxpayer correspondence issues should first be reviewed by the IRS\xe2\x80\x99s Office of Taxpayer\nCorrespondence.8\nThe Disclosure Notification Process\nWhen sensitive information is lost, stolen, or inadvertently disclosed in any way, whether it be\nelectronically, verbally, or in hardcopy form, IRS employees are required to report the incident\nwithin 1 hour. IRS guidelines state:\n        The timely reporting within one hour of all information losses or thefts is critical. 
This is\n        so that any needed investigation can be initiated quickly to decrease or mitigate the\n        possibility the information will be compromised and used to perpetrate identity theft or\n        other forms of fraud.\nIf an employee sees indications of an intentional unauthorized disclosure, the incident must be\nreported to the Treasury Inspector General for Tax Administration as soon as possible.\n\n\n\n7\n See Appendix V for a description of the IRS Employee Instructions on Reporting Inadvertent Disclosures.\n8\n The Office of Taxpayer Correspondence provides comprehensive correspondence services\xe2\x80\x94from design and\ndevelopment to effectiveness and downstream impact.\n                                                                                                      Page 7\n\x0c                             Some Taxpayers Were Not Appropriately Notified\n                            When Their Personally Identifiable Information Was\n                                        Inadvertently Disclosed\n\n\n\nThe IRS determined that incidents involving notices should be submitted to the IRS Office of\nTaxpayer Correspondence. Employees in the Office of Taxpayer Correspondence determine if\nthe disclosure meets criteria and if it does, the incident is reported to the Computer Security\nIncident Response Center (CSIRC). The CSIRC is a centralized reporting facility for all\ncomputer security privacy incidents.\nThe following are the steps in the Disclosure Notification Process for incidents not related to\nnotices:9\n\nStep One         When disclosure incidents involving Personally Identifiable Information occur,\n                 the incident is reported to the CSIRC. IRS employees report the incident using\n                 the CSIRC online reporting form or by calling 866-216-4809. 
                 The completed form is electronically submitted through the CSIRC portal creating a systemically numbered email to the CSIRC "Disclosure of Sensitive Data" mailbox.
Step Two         An employee in the Incident Management Program reviews the incident report emails received in the CSIRC "Disclosure of Sensitive Data" mailbox. An initial assessment is performed to determine if Personally Identifiable Information or "Sensitive But Unclassified" data are involved. If the incident appears to be an inadvertent unauthorized disclosure, it is entered into the CSIRC centralized Incident Tracking System [10] maintained by the IRS Modernization and Information Technology Services organization.
Step Three       The Incident Tracking System automatically assigns an Incident Response number to the new incident created and generates an email that is forwarded to the Incident Management Program "Personally Identifiable Information" mailbox. The email contains an incident summary to notify Incident Management Program employees a new incident has been created. To obtain incident details, an Incident Management Program employee emails the reporting employee and manager to request completion of the Personally Identifiable Information Analysis Template and the Impacted Taxpayer Data Spreadsheet.
Step Four        The Incident Tracking System is accessed to obtain incident details needed to establish a new incident on the E-Trak System. [11] The E-Trak System is used to control and track data breach, disclosure, loss, and theft incidents reported through the CSIRC.
                 Incident Management Program employees perform a second assessment to evaluate the risk of harm for all reported IRS data loss incidents involving Personally Identifiable Information, based on standardized factors and ratings criteria.

[9] See Appendix VI for a flowchart of the Disclosure Notification Process.
[10] The Incident Tracking System provides an automated process to capture, process, and track incident data and generate reports.
[11] The E-Trak System is an off-the-shelf case-tracking tool used to respond to a public law.

                 After complete analysis, they will code the incident:
                 Orange    Incident does not contain Personally Identifiable Information, so there is no risk of identity theft or other harm. Notification letters are not required.
                 Green     The risk of identity theft or other harm is unlikely. Notification letters are not required.
                 Red       The risk of identity theft or other harm is likely. Notification letters are required.
                           Some cases are coded Red-No Notification if the risk of identity theft or harm is likely but the reporting business unit is unable to provide the names and Social Security Numbers of the potentially affected individuals.
                 Blue      This data loss could compromise national security, is grand jury, or could compromise an ongoing investigation.
                 Incidents coded Orange and Red-No Notification are updated on the E-Trak System and closed without further actions. Code Blue incidents are forwarded to an Executive Team. Executive Summary Reports are generated for incidents coded Green and Red.
Step Five        Incidents coded Green and Red are forwarded to the Incident Management Working Group for review. When approved, incidents coded Green are updated on the E-Trak System and closed. Incidents coded Red are updated on the E-Trak System and forwarded for additional review and approval.
Step Six         Incidents coded Red are presented to IRS executives who are members of the Privacy and Information Protection Advisory Committee for approval and concurrence. If all concur, the potentially affected individuals are then notified of the data loss via Incident Management Breach Notification Letter (Letter 4281C). The IRS also offers taxpayers 1 year of free credit report monitoring through a national credit reporting bureau. In addition, it inputs an identity theft data loss indicator on the taxpayers' accounts so the IRS can identify a taxpayer whose Personally Identifiable Information was lost or disclosed because of an IRS data loss incident.
                 The E-Trak System is updated and the cases are closed.

The IRS codes incidents Orange or Green in four circumstances and will not send notifications

Guidance from the OMB states that upon learning of a disclosure, agencies should assess the likelihood that Personally Identifiable Information will be or has been used by unauthorized individuals. This is a difficult standard to measure because the IRS cannot know if those who inadvertently come by another individual's Personally Identifiable Information or tax account information will use that information to cause harm. However, though there is a risk, it is reasonable to assume the risk is unlikely when a disclosure is inadvertently made to a third party that routinely handles Personally Identifiable Information or tax information, or has a trusted relationship with the IRS.
Accordingly, when considering whether a taxpayer is likely to be at risk of identity theft or other harm, the Incident Management Program developed procedures that state it will code incidents Orange or Green (i.e., the IRS will not send notifications or place indicators on the accounts) in the following four circumstances:
     1. Where the IRS employee follows all IRS established procedures (e.g., mailed to address of record; provided with an incorrect fax number; caller subsequently determined not taxpayer after authentication requirements completed) but a disclosure of sensitive information still occurs. These are to be coded Orange.
     2.
        Where the IRS transmits taxpayer Personally Identifiable Information to registered participants of the Income Verification Express Services Program. [12] These are to be coded Green.
     3. Where the IRS sends the taxpayer's Personally Identifiable Information to an incorrect employer (one in which the taxpayer has no current or past relationship) originating from the IRS's Criminal Investigation Questionable Refund Detection Team or Accounts Management function Taxpayer Assurance Program. These are to be coded Green.
     4. Where the IRS inadvertently discloses taxpayer account information (i.e., unfiled return or balance due information) to an individual who already has the personal or business information and the information disclosed is not categorized as Personally Identifiable Information. These are to be coded Orange.
Twenty-one (21 percent) of 98 incidents sampled were closed without the IRS notifying taxpayers that their Personally Identifiable Information had been disclosed to individuals and businesses that routinely handle Personally Identifiable Information and/or tax account information. The IRS considers certain third parties who routinely obtain or process Personally Identifiable Information and/or tax account information, such as individuals with a power of attorney, State agencies, or payroll processors, to present little or no risk of identity theft or other harm to the taxpayer.
Therefore, it was determined that it was not necessary to notify the taxpayer of these disclosures.

[12] Taxpayers commonly request tax return transcripts for many reasons, including verifying income to obtain a loan. They can order the transcripts directly from the IRS or others can order the transcripts on the taxpayer's behalf. Lenders and other entities verify income information on behalf of a taxpayer through the IRS's Income Verification Express Services Program.

Data loss indicators are posted only for individuals with IRS tax accounts

A taxpayer's Master File [13] account should be marked with the identity theft data loss indicator on accounts where Letter 4281C has been issued. Thirty-two taxpayers were sent notification letters related to the 27 incidents in our sample that required a Letter 4281C. Of the 32 individuals:
     • ***********************************1************************************
       ***********************.
     • *************************************1*******************************.
Individuals who have had their Personally Identifiable Information disclosed may not have a tax account. In most instances, these individuals are spouses, children, or dependents of the primary taxpayer and the primary taxpayer has provided their names and Social Security Numbers on his or her tax return, which was inadvertently disclosed.
These spouses, children, or dependents may not currently have a filing obligation or have a tax account.
In instances where Personally Identifiable Information for a minor child has been disclosed, notification letters are mailed to the parents, but credit monitoring is not provided if the minor child is the only individual affected and a data loss indicator is not placed on a tax account because the minor child does not have a tax account. The burden is shifted to the parent of a minor child to remain aware of consequences resulting from the inadvertent disclosure if and when they file a tax return of their own.

Not all cases included the identity of the individual whose Personally Identifiable Information was disclosed

In 5 (5 percent) of the 98 incidents, the incidents were coded Red but closed without the IRS notifying taxpayers that their Personally Identifiable Information had been disclosed because the incident report did not include the identity of the individuals whose Personally Identifiable Information had been disclosed. Projected to the population of 4,081 inadvertent disclosures processed in Fiscal Years 2009 and 2010, there may have been 204 incidents where the IRS acknowledged Personally Identifiable Information had been disclosed but the IRS did not notify the affected taxpayers. This happened because IRS employees did not document the identities of the individuals whose Personally Identifiable Information was disclosed, even though the taxpayers' identities were obtainable.

[Sidebar: Five percent of incidents sampled were closed without the IRS notifying taxpayers because the incident report did not include the identity of the individuals whose Personally Identifiable Information had been disclosed.]

[13] The IRS database that stores various types of taxpayer account information.
This database includes individual, business, and employee plans and exempt organizations data.

For example, a taxpayer calls the toll-free telephone lines and asks what he or she should do with a copy of another taxpayer's tax return when it was included in the envelope with the copy of the tax return he or she had requested. The assistor instructs the caller to mail it back to the IRS, but fails to ask for or document the name and Social Security Number of the taxpayer whose tax return was mistakenly included with the caller's.
However, there may be times when the employee is unable to determine the identity of the taxpayer whose information was inadvertently disclosed. For example, an employee may be stuffing notices into envelopes and realize, after the fact, a notice is missing and must have been stuffed into an envelope addressed to another taxpayer that had already gone out with the mail.

Taxpayers are not always contacted when the only information disclosed is tax account information

In 10 (10 percent) of the 98 incidents, tax account information was disclosed but the IRS closed the incident without notifying taxpayers that their tax account information had been disclosed. This happened because IRS procedures did not include tax account information in its definition of Personally Identifiable Information.
Projected to the population of 4,081 inadvertent disclosures processed in Fiscal Years 2009 and 2010, there may have been 408 incidents where the IRS disclosed tax account information but the IRS did not notify the affected individuals.
This could occur when someone who has a relationship or prior relationship with a taxpayer (e.g., a spouse, former spouse, or business partner) calls the IRS asking for the taxpayer's account information. The assistor follows all IRS procedures to authenticate the caller, only later to find that the caller is not the taxpayer. The Incident Management Program codes this type of incident Orange, "Incident does not contain Personally Identifiable Information, so there is no risk of identity theft or other harm." An Executive Summary Report will not be prepared for this type of incident and the incident will be closed.
However, Personally Identifiable Information includes any information about an individual maintained by an agency, including any other information that is linked or linkable to an individual, such as:
   • Medical.
   • Educational.
   • Financial.
   • Employment.
Therefore, tax account information is Personally Identifiable Information. Assistors authenticate taxpayers by asking their name, Social Security Number, address, date of birth, and filing status. A caller with a relationship to the taxpayer may know all this information. However, the caller may be calling without the taxpayer's knowledge or permission to obtain information about the taxpayer's tax account.
While these individuals may not intend to steal or assume the taxpayer's identity, the taxpayer is at risk of other harm. For example, an ex-spouse or business partner may be calling to obtain information on the taxpayer's current income. Once this information is obtained, these individuals may use this information for any number of purposes, including legal actions that could potentially harm the taxpayer.
In August 2009, private investigators were sentenced after being convicted for illegally obtaining confidential medical records, tax records, and employment information by posing as the subjects of their investigations who had legitimate claim to the records. From January 2004 to May 2007, employees from a private investigation company posed as the people they were investigating to trick the targets into releasing sensitive information (e.g., Social Security Number, verifications, tax returns, and medical histories) and selling this information to other private investigators, law firms, and others. [14]

[Sidebar: Private investigators used illegal methods to illegally obtain confidential information from Federal agencies.]

OMB guidance instructs agencies to consider a number of possible harms associated with the loss or compromise of information. Harm may include the:
     • Effect of a breach of confidentiality or fiduciary responsibility.
     • Potential for blackmail, the disclosure of private facts, mental pain, and emotional distress.
     • Disclosure of address information for victims of abuse.
     • Potential for secondary uses of the information which could result in fear or uncertainty.
     • Unwarranted exposure leading to humiliation or loss of self-esteem.
Taxpayer's account information is valuable information.
Nevertheless, IRS procedures do not require that the taxpayer be notified when another individual has attempted to access his or her tax account information, but no other Personally Identifiable Information was disclosed. The IRS should notify taxpayers when someone else has accessed their tax accounts to ensure taxpayers are aware of the incident and can take appropriate actions.

[14] United States Attorney's Office: Western District of Washington, News Release, TEN INDICTED FOR PRETEXTING IN "OPERATION DIALING FOR DOLLARS": Defendants Would Adopt Various Identities to Get Confidential Tax, Medical and Employment Info (December 6, 2007), available at http://www.justice.gov/usao/waw/press/2007/dec/torrella.html

There are limited procedures for the IRS to contact taxpayers who unknowingly may be victims of identity theft

The IRS will notify a taxpayer (victim) by letter when someone may have attempted to use his or her Social Security Number for incidents resulting from the following:
     • Phishing and refund schemes.
     • Verified false returns.
     • Mixed entity research.
     • Certain unpostable returns.
**************************************1**************************************
********1*****************. The incident was coded Orange and the Incident Management Program did not notify the taxpayer.
Projected to the population of 4,081 inadvertent disclosures processed in Fiscal Years 2009 and 2010, there may have been 41 incidents in which the IRS became aware that a taxpayer's identity may have been stolen by an individual but the IRS did not notify the taxpayer.
The information was also not reported to the IRS's Identity Theft Program because Disclosure Notification Process procedures do not require it. When the IRS learns that a taxpayer's identity may have been stolen, the information should be referred to the Identity Theft Program for resolution, including determining if an identity theft indicator should be placed on the taxpayer's account.
We have reported that the IRS needs to take more actions to address employment-related and tax fraud identity theft. [15] The use of another person's Social Security Number to obtain employment is often done in conjunction with a name different from Social Security Administration records. This is known as a Social Security Number/name mismatch. In these instances, the IRS and the Social Security Administration do not associate the income and benefits with the lawful taxpayer. The number of Wage and Tax Statements (Form W-2) with Social Security Number/name mismatches is substantial.

[Sidebar: Serious problems develop for lawful taxpayers when both their name and Social Security Numbers are used by others to gain employment.]

While Social Security Number/name mismatches are a significant problem for the IRS and the Social Security Administration, the more serious problem develops for the lawful taxpayer when both their name and Social Security Number are used by someone else to gain employment.
No action is taken to stop someone from continuing to commit employment-related identity theft using another person's Social Security Number and name.

[15] Outreach Has Improved, but More Action Is Needed to Effectively Address Employment-Related and Tax Fraud Identity Theft (Reference Number 2008-40-086, dated March 25, 2008).

The IRS does not actively try to identify or stop an individual from committing identity theft. Moreover, the IRS does not notify the employer of the problem of their employee using someone else's identity. Because the IRS and the Social Security Administration will assume the information on the Forms W-2 is accurate, the earnings resulting from the identity theft will be attributed to the lawful taxpayers for determining both Social Security benefits and tax liabilities. The IRS generally does not pursue the taxes that may be due on income earned using a stolen identity.
We have also reported that the IRS does not notify the taxpayer when there is evidence that the taxpayer's identity has been stolen. [16] The IRS has stated that the Social Security Administration has a program in place called the Employee No-Match Letter that requests correct information from individuals. The IRS believes its involvement would possibly be a duplication of the Social Security Administration's efforts.

Taxpayers are not always timely notified when their Personally Identifiable Information has been inadvertently disclosed

From our sample of 98 incidents, the IRS mailed notification letters to taxpayers for 27 of the reported incidents.
In only 7 (26 percent) of 27 incidents, the notifications were mailed within 45 days of the date the incident was reported to or identified by the IRS. See Figure 2 for a breakdown of the number of days between the date the IRS was notified or identified the incident and the date the notifications were mailed.

Figure 2: Analysis of Days Between the Date the IRS Was Notified or Identified and the Date the Notification Letters Were Mailed

      Number of Days         1-45 Days   46-75 Days   76-100 Days   101-150 Days   More Than 150 Days   Total Incidents
      Number of Incidents        7           7             6              3                 4                  27

      Source: Our analysis of 98 cases selected for the statistical sample.

For these 27 incidents, the time from the date the incident was reported or identified to the date the notification letter was mailed ranged from 20 to 226 days, with a median of 68 days and an average of 86 days.
The IRS has established a business measure for the Disclosure Notification Process to notify potentially affected individuals with a median lapse time of 45 days from the date reported to the CSIRC to the date the notification letter is mailed.

[16] Procedures Need to Be Developed for Collection Issues Associated With Individual Taxpayer Identification Numbers (Reference Number 2010-40-040, dated March 29, 2010).

Through Fiscal Year 2010, the population of incidents the IRS used to determine the median included only the incidents input on the CSIRC and notification letters mailed within a fiscal year (October 1 through September 30). If the notification letter was mailed in a subsequent fiscal year, it was not counted in either fiscal year.
The IRS is also not measuring the total time associated with processing the disclosures reported through the Office of Taxpayer Correspondence or other IRS offices or functions. For example, incidents reported through the Office of Taxpayer Correspondence are tracked from the date they are input into the CSIRC. This does not include the days the employees in the Office of Taxpayer Correspondence work the incidents.
The IRS needs a measure to determine if all incidents are reported timely.
This will ensure taxpayers are alerted to the risk in sufficient time to take precautions against identity theft or other harm.

Recommendations

The Deputy Commissioner for Operations Support should:
Recommendation 1: Educate employees on the importance of obtaining sufficient information on individuals whose Personally Identifiable Information was disclosed so they can be notified of the disclosure and can take the necessary steps to protect themselves from identity theft or other harm. The information should be documented when learning of a disclosure rather than after the fact and include enough information to identify the taxpayer whose information was disclosed and to whom it was disclosed.
       Management's Response: IRS management agreed with this recommendation. The IRS recently implemented a Think Data Protection campaign, which consists of a series of targeted employee communications using various media reaching across the IRS, designed to educate employees on the importance of protecting sensitive information and reporting any losses or disclosures.
       In addition, the business units will continue to emphasize the data that should be gathered and reported when an incident occurs.
Recommendation 2: Revise procedures to: 1) ensure the definition of Personally Identifiable Information includes tax account information so taxpayers whose tax account information has been disclosed will be appropriately notified of a disclosure and 2) include instructions to forward disclosure incidents to the IRS's Identity Theft Program when the Incident Management Program learns that a taxpayer may already have been a victim of identity theft.
       Management's Response: IRS management agreed with this recommendation. During the assessment of a reported incident and the determination of whether notification is appropriate, the IRS applies the OMB's definition of Personally Identifiable Information. While the incidents noted in the report do not meet the definition of a disclosure of Personally Identifiable Information, the IRS will study the possible expansion of the notification process to address these situations. As part of this process, the IRS will strengthen procedures to coordinate with the appropriate function to ensure identity theft is addressed.
       To date, the IRS has no evidence of an inadvertent disclosure that has led to a taxpayer becoming a victim of identity theft.
       Office of Audit Comment: The IRS stated that it applies the OMB's definition of Personally Identifiable Information and that the incidents noted in the report do not meet the definition of a disclosure of Personally Identifiable Information.
       We believe that tax account information, which is financial information, is included in the definition of Personally Identifiable Information. OMB M-07-16 defines Personally Identifiable Information as "information which can be used to distinguish or trace an individual's identity, such as their name, Social Security Number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."
       The Guide to Protecting the Confidentiality of Personally Identifiable Information (The U.S. Department of Commerce, Special Publication 800-122, April 2010) states that Personally Identifiable Information is any information about an individual maintained by an agency. This includes any information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
       In addition, the IRS stated in its response that to date, it has no evidence of an inadvertent disclosure that has led to a taxpayer becoming a victim of identity theft.
       We reported that in one incident sampled, **************************1************************
       ****************1****************.
Recommendation 3: Implement a timeliness measure to ensure taxpayers are timely notified and to gauge the overall performance of the Disclosure Notification Process, and include the time the incident is being processed by the Office of Taxpayer Correspondence or other IRS offices or functions before it is reported to the CSIRC.
       Management's Response: IRS management agreed with this recommendation. Current reporting measures the elapsed time between the CSIRC report date and notification letter date. Based on this measure, the IRS has demonstrated positive performance in Fiscal Year 2011, averaging a 20-day response time through April 21, 2011. The IRS will expand its current metrics to include a broader organizational measure that incorporates the elapsed time between initial incident reporting and taxpayer notification dates.

Multiple Information Systems and Manual Processes Increase the Risk That Not All Incidents Are Considered and Controlled

There is no assurance that all disclosure incidents reported were considered and processed. A test of 4,800 disclosure incidents reported on the CSIRC identified 898 missing reports.
Management controls should provide reasonable assurance that all disclosures are appropriately recorded and considered. Systems used to record and track disclosures need to be complete and accurate.
The Disclosure Notification Process management information systems need to be improved to ensure all incidents are considered and appropriately processed, and that the IRS has sufficient data to effectively monitor the Process and ensure it is meeting all the objectives of the Incident Management Program.

Disclosure incidents are processed using three systems–the CSIRC email portal, the Incident Tracking System, and the E-Trak System–during the Disclosure Notification Process. The Office of Taxpayer Correspondence uses a fourth system, the System for Tracking and Analysis of Correspondence Impact, to track the incidents that are reported to that office.
   •   Each system is independent of the others and does not communicate with the others.
   •   Data are manually keyed into the Incident Tracking System and the E-Trak System from the emails generated by the CSIRC portal.
   •   Three different numbering schemes are used to track the incidents. Only the Incident Response number generated by the Incident Tracking System is used by the E-Trak System. This makes it difficult to ensure all incidents are being considered and timely processed.

The IRS does not reconcile the various systems to ensure the databases are complete and all incidents are processed. Because of the lack of reconciliation, the reliability of the databases is at risk.

Testing of the System for Tracking and Analysis of Correspondence Impact showed that all incidents reported to the Office of Taxpayer Correspondence were appropriately reported to the CSIRC.
However, reconciliations completed on the other three systems identified missing records.

The CSIRC Portal and Incident Tracking System

A test of 4,800 CSIRC portal disclosure incident email reports identified that 898 (19 percent) incidents were not on the Incident Tracking System. After researching the systems, the IRS was later able to find 86 of the 898 records. The actions taken on the remaining 812 (17 percent) of the 4,800 disclosure incidents reported through the CSIRC portal could not be determined.

Seventeen percent of CSIRC portal disclosure incident reports were not controlled on the Incident Tracking System.

The CSIRC portal disclosure incident email reports are not tracked, controlled, or maintained for review. CSIRC portal submissions are not stored in their own database. They are simply emails generated by the Portal form submission. The emails are reviewed and those that are considered disclosure incidents are entered into the Incident Tracking System. When the Incident Management Program employee determines the incident does not meet the definition of a disclosure, the employee emails the individual reporting the incident that disclosure criteria has not been met and no further action is being taken.
Although the incident email is received by the “Disclosure of Sensitive Data” mailbox, the response emails to the reporting employee are from the Incident Management Program employee’s personal mailbox application and archived from the analyst’s mailbox.

The IRS does not quantify the total number of CSIRC disclosure incident email reports received, the total number not meeting the disclosure criteria, or the total number meeting the criteria and elevated to be entered into the Incident Tracking System. There are no controls to ensure an incident report email is not deleted. The IRS cannot be assured all emails are reviewed. There are also currently no managerial or quality reviews of the CSIRC portal disclosure incidents reported to ensure the decisions are appropriate. This increases the risk that some affected taxpayers might not be notified about an inadvertent disclosure of their Personally Identifiable Information.

The Incident Tracking System and the E-Trak System

A comparison of 4,321 Disclosure of Sensitive Data Incident Report Numbers in the Incident Tracking System to the E-Trak System identified 3 (0.7 percent) incident records were not on the E-Trak System.
   •   Three incidents were not transmitted from the Incident Tracking System to the Incident Management Program mailbox to be worked and input to the E-Trak System. The IRS has since input the incidents to the E-Trak System and is attempting to contact the employees and managers to obtain additional information.

A comparison of 4,081 E-Trak System disclosure incidents to the Incident Tracking System showed only 1 incident was not recorded on the Incident Tracking System. This incident was erroneously input into the Incident Tracking System (i.e., it did not meet the criteria for a disclosure) and was subsequently deleted from the Incident Tracking System.
However, the E-Trak System was not updated to show the reason for the deletion.

The IRS is currently in the process of replacing the CSIRC portal and Incident Tracking System. Submission of the CSIRC online reporting form will automatically populate a database generating an incident notification email to the Incident Management Program to control on the E-Trak System. This will reduce the risk that all reported incidents are not controlled. However, controls will need to be implemented to ensure all reported incidents are accounted for as meeting or not meeting disclosure criteria and provide for a quality review of criteria decision accuracy.

A new process is being implemented so that incidents reported will automatically populate a database, reducing the risk that all incidents are not controlled.

The IRS should evaluate whether the current systems could be integrated or if systems can be developed that allow for automatic updating and sharing information. This would reduce the need to reconcile between the systems. In addition, the information from all the systems should be used to measure the Disclosure Notification Process and assess how it can be improved. The information could also be useful in identifying trends in incidents. Management information is essential to make sound business decisions.
Data must be accurate and complete.

Multiple systems and manual processes reduce management’s ability to effectively oversee the Disclosure Notification Process

There is no single system that tracks incidents from the time they occur and are reported to the time the incidents are evaluated and closed. The IRS uses four independent systems to capture disclosure incident-related information. This requires the use of time-consuming manual data entry, which is susceptible to transcription errors, to process the incidents. Detailed incident information cannot be easily organized, categorized, and accessed for trend analysis to enhance management oversight.

None of the systems communicate with each other so the IRS does not have the ability to determine, for example:
    • The total number of disclosure incidents reported and how many resulted in notifications.
    • The causes of the disclosures.
    • The responsible office for the disclosure.
    • The most common types of disclosures.

Further, the IRS is not tracking whether incidents are being reported within 1 hour, as required. As more time elapses between the disclosure incident and reporting, there is a greater likelihood that the incident report will not include key data elements such as the individual’s name and Social Security Number. This is because the reporting person may not acquire and maintain the affected individual’s key information. Without the key data elements, the IRS cannot properly notify individuals who have had their information compromised.

Currently, any type of incident trend analysis would be very laborious because detailed incident information is stored in various systems, collected at different points in time, and not easily accessible.
However, the data would be useful for management to analyze the Disclosure Notification Process and determine if it is meeting its objectives and goals and if the Process could be more efficient or effective. The information could also be useful in educating employees on how to avoid making inappropriate disclosures.

Disclosures related to taxpayer correspondence are to be reported first to the Office of Taxpayer Correspondence so that systemically generated notice issues can be quickly identified and resolved

In our sample of 98 incidents, 41 (42 percent) incidents were reported through the Office of Taxpayer Correspondence. Not all of these cases were related to systemic issues. For example, these cases typically involved letters addressed to an incorrect taxpayer or a letter for one taxpayer that was erroneously included in the same envelope with another taxpayer’s letter. An example of a systemic issue is a computer program accidentally printing one taxpayer’s information on another taxpayer’s notice.

The Office of Taxpayer Correspondence reviews the reported incidents, obtains additional data from the individual who reported the incident, and for the incidents considered disclosures inputs them into the CSIRC. The Office of Taxpayer Correspondence took an average of 39 days (from 2 to 84 days) to process the 41 incidents in our sample that originated in the Office of Taxpayer Correspondence.
This time is not included in the IRS’s business measure for Disclosure Notification Process timeliness.

The IRS should evaluate the information it has on disclosure incidents reported through the Office of Taxpayer Correspondence to determine if the issues are predominantly systemic and whether incidents related to individual notices should continue to be reported first to the Office of Taxpayer Correspondence.

Recommendation

Recommendation 4: The Deputy Commissioner for Operations Support should implement sufficient controls to ensure that all incidents are accurately documented, controlled, and considered and develop a management information system sufficient to oversee disclosure incidents. This would include an evaluation of whether one system can be developed to track incidents from IRS notification to closure. If multiple systems must be used, consideration should be given to automatic updates between the systems to limit the need for manual reconciliations.

       Management’s Response: IRS management agreed with this recommendation. The IRS will be implementing the Threat Incident Response Center and consolidating data from all systems for the most serious incidents.
       Routing reconciliations between systems have found minimal differences between CSIRC reports and the risk assessment-tracking database.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS is making appropriate decisions to promptly and properly notify taxpayers of inadvertent disclosures of their tax information. To accomplish this objective, we:
I.      Determined what IRS procedures and processes are in place to identify inadvertent disclosures and to notify taxpayers.
        A. Reviewed all applicable laws and regulations to gain a clear understanding and ensure the IRS is appropriately adhering to them.
        B. Reviewed IRS internal procedures and processes, including manuals, user guides, and the IRS intranet.
        C. Met with the appropriate IRS personnel to discuss and document the processes used to identify inadvertent disclosures and notify taxpayers that their Personally Identifiable Information has been disclosed.
        D. Identified systems used to capture the incidents of inadvertent disclosure and to notify taxpayers.
II.     Determined whether the IRS is accurately controlling all reported disclosure incidents. We identified all disclosure incidents on the following systems with the CSIRC[1] portal email date for the period October 1, 2008, to September 30, 2010.
        We assessed the reliability of computer system data by performing electronic testing of required data elements and interviewing agency officials knowledgeable about the data. We identified deficiencies in the completeness of the data and made a recommendation to address those deficiencies. We performed the following comparisons to validate whether all incidents were accurately controlled.
        A. Compared 4,800 disclosure incident emails submitted through the CSIRC portal to 4,321 Incident Tracking System[2] disclosure incidents.
        B. Compared 4,321 Incident Tracking System disclosure incidents to 4,081 E-Trak System[3] disclosure incidents.
        C. Compared 1,779 System for Tracking and Analysis of Correspondence Impact disclosure incidents to 4,321 Incident Tracking System disclosure incidents.
        D. Compared 4,081 E-Trak System disclosure incidents to 4,321 Incident Tracking System disclosure incidents.
III.    Determined whether appropriate decisions were made for notifying the taxpayer of inadvertent disclosures of tax information.
        A. Selected a statistical sample of 98 closed incidents from the population of 4,081 E-Trak System disclosure incidents using a confidence rate of 95 percent, a precision rate of 5 percent, and an error rate of 7 percent. The error rate was established from a probe sample of 15 randomly selected disclosure incidents resulting in 1 (7 percent) of 15 incidents where the individual should have been notified of Personally Identifiable Information disclosure.
        B. Reviewed the sampled records and associated data in the IRS Incident Management archived shared drawer and from the Office of Taxpayer Correspondence to determine if appropriate decisions were made.
        C. Using the sample from Step III.A., reviewed the Integrated Data Retrieval System[4] to determine whether the identity theft indicator had been input on the account.
IV.     Determined whether taxpayers were notified timely of inadvertent disclosures.
        A. Identified the business measure used to indicate timeliness of notification.
        B. Using the sample from Step III.A., identified 27 incidents with notifications mailed to taxpayers.
        C. Reviewed the selected records to identify the length of time from the date the incident was reported to or identified by the IRS and the date the notification letter was mailed to the taxpayer.

[1] The CSIRC is the centralized reporting facility for all computer security privacy incidents.
[2] The Incident Tracking System provides an automated process to capture, process, and track incident data and generate reports.
[3] The E-Trak System is an off-the-shelf case-tracking tool used to respond to a public law.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance.
We determined the following internal controls were relevant to our audit objective: the Incident Management Program policies and procedures aimed at timely reaction and appropriate responses to occurrences of IRS data losses, thefts, breaches and disclosures. We evaluated the internal controls by interviewing management and reviewing policies, reports, and procedures; selecting and comparing the disclosure incidents identified on four systems used to process disclosure incidents; and evaluating the response decision and timely notification of a statistical sample of 98 disclosure incidents.

[4] The IRS computer system capable of retrieving or updating stored information. It works in conjunction with a taxpayer’s account records.

Appendix II

Major Contributors to This Report

Michael E. McKenney, Assistant Inspector General for Audit (Returns Processing and Account Services)
Augusta R. Cook, Director
Paula W. Johnson, Audit Manager
Lynn Faulkner, Lead Auditor
Jackie Forbus, Senior Auditor
Jerome Antoine, Auditor
Kevin O’Gallagher, Information Technology Specialist

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Services and Enforcement SE
Chief Technology Officer OS:CTO
Commissioner, Small Business/Self-Employed Division SE:S
Commissioner, Wage and Investment Division SE:W
Deputy Chief Information Officer for Operations OS:CTO
Deputy Commissioner of Operations, Wage and Investment Division SE:W
Deputy Commissioner of Services, Wage and Investment Division SE:W
Director, Privacy, Information Protection, and Data Security OS:P
Chief Information Officer OS:CTO:CIO
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Associate Chief Information Officer, Strategy and Planning OS:CTO:SP
Director, Communications, Liaison, and Disclosure, Small Business/Self-Employed Division SE:S:CLD
Director, Customer Account Services, Wage and Investment Division SE:W:CAS
Director, Cybersecurity Operation OS:CTO:O
Director, Privacy and Information Protection OS:P:PIP
Director, Strategy and Finance, Wage and Investment Division SE:W:S
Director, Taxpayer Correspondence, Wage and Investment Division SE:W:OTC
Director, Governmental Liaison and Disclosure, Small Business/Self-Employed Division SE:S:CLD:GLD
Chief, Program Evaluation and Improvement, Wage and Investment Division SE:W:S:PRA:PEI
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Chief Technology Officer OS:CTO
       Commissioner, Small Business/Self-Employed Division SE:S
       Director, Privacy, Information Protection, and Data Security OS:P
       Senior Operations Advisor, Wage and Investment Division SE:W:S

Appendix IV

Outcome Measures

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration. These benefits will be incorporated into our Semiannual Report to Congress.

Type and Value of Outcome Measure:
•   Taxpayer Privacy and Security – Potential; 653 taxpayer accounts affected[1] (see page 6).

Methodology Used to Measure the Reported Benefit:
For the period October 1, 2008, to September 30, 2010, we reviewed a statistical sample of 98 incidents to determine whether the IRS accurately decided to notify the taxpayers that their Personally Identifiable Information was inadvertently disclosed. Our review determined the following:
    •   For 5 (5 percent) of the 98 decisions, the IRS did not notify the taxpayer their Personally Identifiable Information was disclosed because the IRS did not document or retain the necessary information to notify the affected taxpayer.
        Projected to the population of 4,081 inadvertent disclosures processed in Fiscal Years 2009 and 2010, there may have been 204 incidents where the IRS acknowledged Personally Identifiable Information had been disclosed but the IRS did not notify the affected taxpayers.
    •   For 10 (10 percent) of the 98 incidents, the IRS did not notify the taxpayers that their tax account information was disclosed because IRS procedures did not include tax account information as Personally Identifiable Information. Projected to the population of 4,081 inadvertent disclosures processed in Fiscal Years 2009 and 2010, there may have been 408 incidents where the IRS disclosed tax account information but the IRS did not notify the affected individuals.
    •   *************************************1********************************** *********************1******************. Projected to the population of 4,081 inadvertent disclosures processed in Fiscal Years 2009 and 2010, there may have been 41 incidents where the IRS became aware that a taxpayer’s identity may have been stolen by an individual but the IRS did not notify the taxpayer.

[1] Our projections are conservative.
Each incident may affect more than one taxpayer that may have had Personally Identifiable Information disclosed but was not notified.

Type and Value of Outcome Measure:
•   Taxpayer Privacy and Security – Potential; 815 disclosure records affected (see page 17).

Methodology Used to Measure the Reported Benefit:
We summed 812 incidents that were not transferred from the CSIRC[2] portal to the Incident Tracking System and 3 incidents that were not added to E-Trak System[3] from the Incident Tracking System.[4] Each incident may affect more than one taxpayer that may have had Personally Identifiable Information disclosed but the incident is not in the database for review.

[2] The CSIRC is the centralized reporting facility for all computer security privacy incidents.
[3] The E-Trak System is an off-the-shelf case-tracking tool used to respond to a public law.
[4] The Incident Tracking System provides an automated process to capture, process, and track incident data and generate reports.

Appendix V

Internal Revenue Service Employee Instructions on Reporting Inadvertent Disclosures

IRS employees, who become aware of an inadvertent disclosure of sensitive information, or the loss or theft of an information technology asset or hardcopy record or document containing sensitive information, are required to report the incident within 1 hour to each of the following, as applicable:
       •   His or her manager, in all instances.
       •   The Office of Taxpayer Correspondence, if the incident involves taxpayer correspondence, using the Servicewide Notice Information Program Erroneous Taxpayer Correspondence Reporting Form. The scope of this form has been expanded to include electronic communication like faxes, transcripts, and email messages. The Office of Taxpayer Correspondence will notify the CSIRC[1] as necessary after an initial analysis of the incident. This procedure minimizes the potential for inaccurate, incomplete, and duplicate reporting of incidents to the CSIRC, lessens the operational impact of reporting an incident, and focuses resources on correcting the error to prevent additional breaches/losses.
       •   The CSIRC, if the incident does not involve taxpayer correspondence (for example, a verbal disclosure, lost laptop, data disk, or packages lost during shipment), using the Computer Security Incident Reporting Form or by calling 1-866-216-4809.
       •   The Treasury Inspector General for Tax Administration, if the incident involves the loss or theft of an information technology asset (e.g., computers, laptops, routers, printers, removable media, CD/DVD, flash drive, floppy) or hardcopy records/documents, at 1-800-366-4484.
       •   The Modernization and Information Technology Services organization Enterprise Services Help Desk, if the incident involves the loss or theft of an information technology asset.

[1] The CSIRC is the centralized reporting facility for all computer security privacy incidents.

Appendix VI

Flowchart of the Disclosure Notification Process

Source: IRS Incident Management Program. IM = Incident Management Program. PII = Personally Identifiable Information. POC = Point of Contact. PIPDS = Privacy, Information Protection, and Data Security. T/P = Taxpayer. UPS = United Parcel Service.

Appendix VII

Management’s Response to the Draft Report
'